Monday, August 6, 2012

BitLocker to the rescue?

I have a Lenovo T410s laptop with Windows 7 Enterprise installed. Since it was issued to me by my company its initial configurations were performed by others. To protect sensitive data in the event of physical loss my company enabled BitLocker and the on-board Trusted Platform Module (TPM). Not sure what a TPM does? From Microsoft's website:

"A Trusted Platform Module (TPM) is a microchip that is built into a computer. It is used to store cryptographic information, such as encryption keys. Information stored on the TPM can be more secure from external software attacks and physical theft."

"BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen."

A couple of things to keep in mind when a TPM is used with BitLocker: if you start changing BIOS settings such as the boot order (e.g., boot to CD first, or add a hard drive via the option bay and move it up in the boot order), you could be faced with a scary black screen like the following:

[Screenshot: BitLocker Recovery Key screen]

Now what, you say? Well, if you printed out your BitLocker recovery key before seeing the BitLocker Recovery Key screen, you can just type it in. If this is an enterprise-managed deployment, your recovery key may also be escrowed in Active Directory. I try to make a habit of never calling technical support, so I escrowed my key using the method below.

If you want to print your BitLocker Recovery Key do the following:

Right-click the logical drive letter where the OS is stored, usually the C:\ drive (it should have a padlock-with-key icon next to it if BitLocker is enabled for the drive). From the resulting menu select "Manage BitLocker", then select "Save or Print Recovery Key Again". I printed mine and kept it with me, but separate from my laptop at all times, i.e., don't keep the printed copy in your laptop bag.

There's another issue with BitLocker that may surface depending on the type of change you made to your system. If you only changed the boot order, the fix is easy: reinstate the original boot order after using the BitLocker recovery key to boot Windows. If you made another type of change, you may keep seeing the BitLocker Recovery Key screen on every subsequent reboot. The following is what happened to me.

Symantec Endpoint Protection is installed on my laptop and runs a scan every Friday. Although usually uneventful, this time it found something suspect and recommended I install the Symantec Endpoint Protection Support Tool. I downloaded and installed the tool and, out of extreme paranoia, I selected the check box next to Symantec Power Eraser, including the check box next to "Add bootlog rootkit analysis", just to be sure. It took some time to complete, and when I rebooted I was met with the BitLocker Recovery Key screen containing the following text:

"The boot configuration Data (BCD) settings for the following boot application have changed since Bitlocker was enabled
boot application: \windows\system32\winload.exe
change settings: 0x26000090

You must supply a bitlocker recovery key to start this system.

Confirm that the changes to the BCD settings are trusted.

If the changes are trusted then suspend and resume bitlocker. This will reset bitlocker to use the new BCD settings.

Otherwise restore the original BCD settings"

Well, that's not good. So I entered my BitLocker recovery key and Windows booted fine, but on every subsequent reboot it kept asking for the recovery key. Not good.

After reading the message above more closely, I began looking for a way to suspend and resume BitLocker. Most of the methods I found relied on the BitLocker management applet in the Control Panel; unfortunately my company's great technology support group had used Group Policy Objects (GPOs) to remove it. So I searched for an alternative method. I found several articles that confused "pausing" BitLocker with "suspending" BitLocker. Pause relates to pausing an ongoing BitLocker encryption process, such as when it is first enabled. What I needed to do was suspend and then resume BitLocker.

Here's what worked for me:

Search for cmd.exe, right-click it and select "Run as administrator". Then run the following commands (the first suspends BitLocker by disabling its key protectors, the second resumes it and reseals against the current boot configuration):

Manage-bde.exe -protectors -disable c:

Manage-bde.exe -protectors -enable c:

After the commands completed, I rebooted, and the BitLocker Recovery Key screen no longer appeared on subsequent reboots.
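A scripted version of the suspend/resume fix above, with checks before and after, as an added example that is not part of the original post. It assumes Windows 7 with manage-bde.exe and bcdedit.exe available, an elevated PowerShell session, and that `$OsDrive` is the BitLocker-protected OS volume (all assumptions; the output-parsing regexes are mine, not a documented interface).

```powershell
# Added example, not from the original post. Assumes an elevated (Run as Administrator)
# PowerShell session on Windows 7 with manage-bde.exe on the PATH. $OsDrive is an assumption.
$OsDrive = 'C:'

function Get-BdeStatus {
    # manage-bde -status prints lines such as "Protection Status: Protection On" and
    # "Conversion Status: Fully Encrypted"; pull both out of the text output.
    $out = & manage-bde.exe -status $OsDrive 2>&1 | Out-String
    [pscustomobject]@{
        Protection = if ($out -match 'Protection Status:\s+(.+)') { $Matches[1].Trim() } else { 'unknown' }
        Conversion = if ($out -match 'Conversion Status:\s+(.+)') { $Matches[1].Trim() } else { 'unknown' }
    }
}

$before = Get-BdeStatus
Write-Host "Before: protection=$($before.Protection), conversion=$($before.Conversion)"

# Refuse to act on a drive that is still encrypting (the "pause" case the post distinguishes
# from "suspend") or on one whose protection is already off.
if ($before.Conversion -ne 'Fully Encrypted') { throw "$OsDrive is not fully encrypted; nothing to suspend/resume." }
if ($before.Protection -ne 'Protection On')   { throw "Protection is already off on $OsDrive; only -protectors -enable is needed." }

# Keep a copy of the protector list (it includes the 48-digit recovery password) before
# touching protectors, so the key is on hand if the resume step does not go as expected.
$keyFile = Join-Path $env:USERPROFILE 'bitlocker-protectors-backup.txt'
& manage-bde.exe -protectors -get $OsDrive | Out-File -FilePath $keyFile -Encoding ascii
Write-Host "Protector list saved to $keyFile (move it somewhere separate from the laptop)."

# The recovery screen asks you to confirm the BCD change is trusted: show the current boot
# entry so the winload path and devices can be eyeballed before resealing against them.
& bcdedit.exe /enum '{current}' | Select-String -Pattern 'path|device|osdevice'

# Suspend, then resume: resuming reseals the TPM-bound key against the new BCD settings.
& manage-bde.exe -protectors -disable $OsDrive
if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable failed (exit $LASTEXITCODE)" }
& manage-bde.exe -protectors -enable $OsDrive
if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -enable failed (exit $LASTEXITCODE)" }

$after = Get-BdeStatus
if ($after.Protection -ne 'Protection On') { throw "Protection did not come back on: $($after.Protection)" }
Write-Host "After: protection=$($after.Protection). Reboot to confirm the recovery screen is gone."
```

As the author notes in the comments, this only reseals BitLocker to the current boot configuration; it does not tell you whether that configuration change was benign.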

7 comments:

  1. This comment has been removed by the author.

  2. Thanks for this information. I was able to resolve my issue with these instructions.

  3. My concern would be that the BCD reset that occurs when suspending and resuming BitLocker just "papers over" the reason the boot config settings changed in the first place, i.e., if the boot config settings changed due to a virus, suspending and resuming BitLocker doesn't do anything about the presence of the virus, right? If that's the case, what I'm really looking for is how to get rid of the infection first, or possibly restoring my original BCD settings in order to negate the presence of the virus. Ideally, I want to wipe the virus and I'm also looking at my options there. I'm running 64-bit Win 7 Home, upgraded via MS website to the Ultimate version so I could take advantage of TPM and BitLocker security. I also have a recent (Oct 1st) full backup of the boot drive on a separate storage drive, so if there's a file there that I could access and just copy into my existing setup in order to straighten this all out, I could manage that also. Any help would be appreciated!
    BuddyScott

  4. In my case I knew the problem was related to a software installation/configuration issue. The procedure is not meant as a solution to ensure system integrity following any type of system compromise.

  5. That's what I was afraid of. A bit of background: Sunday, I became aware of an issue with Google Chrome that had me puzzled. Multiple tabs were mysteriously opening with an odd-looking address which went nowhere. I copied the address into a Google search and discovered that it represented a virus. The various fixes I found ranged from the exhaustingly detailed to slightly daffy-sounding, so I went to Symantec to see if they had anything on it. There, I elected to run their Power Eraser, but was careful not to allow it to damage anything I recognized as valid. But because the app didn't return anything that looked like what I had been seeing in the various posts I had perused, I backed away from allowing PE to alter anything it returned as suspicious...or so I thought. Monday, when I booted up the computer, I got the black screen and the text you outlined above. I plugged in my USB thumb drive with the recovery key and got up and running, so I'm now wondering if the Norton Power Eraser is responsible for changing the BCD settings or is it the work of the virus? Since then, I haven't had any more Chrome hijackings, so I also wonder if PE took care of something in the background that it didn't make me aware of? In any event, as long as I have the recovery key on the thumb drive, I'm good to go with regard to booting up and I continue to research this as I have time. For what it's worth, in case you're interested, when I had the Chrome issue, the first hijacked tab carried the following address:

    https://photos-a.xx.fbcdn.net/hphotos-prn1/hellocdn.html?v=1

    All subsequent tabs carried this address:

    https://fbcdn-photos-a-a.akamaihd.net/hphotos-ak-prn1/hellocdn.html?v=1

    I'm not the type to go wandering around in dark corners of the Internet and I haven't installed anything lately, so I'm sort of puzzled. Anyway, thanks again for your response and for anyone else out there reading this, if you have any suggestions, I'm all ears!

    bs

  6. Thanks.. I resolved the problem with the instructions. Thank you from Argentina.

  7. This works for me too. Thanks..!
